Your ExpressionEngine database holds member records, Freeform submissions, and Cartthrob orders — and whoever you give your credentials to for the migration has access to every record in it.
What Is Actually Inside an ExpressionEngine Database
ExpressionEngine sites that have been running for years accumulate layers of personal data across multiple tables. The exp_members table holds every registered member: username, email address, hashed password, IP address at registration, last activity timestamp, and any custom member field data. The exp_channel_data and related tables hold all channel entry content including author attribution. Freeform and Solspace Calendar store submission data in their own tables. Cartthrob stores complete customer and order records. Sites using Zoo Visitor have structured front-end member data that may include billing addresses, phone numbers, and membership tier information.
All of that is in the database file that anyone who handles your migration will download to their system. Who holds that data, for how long, under what security conditions, and with what deletion commitment are questions you cannot skip.
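To see what a given export actually hands over, the added example below (not part of the original article and not gConverter's tooling) scans the CREATE TABLE statements of a SQL dump and lists the columns whose names suggest personal data. The sample dump, the `exp_example_orders` table and the hint list are constructed for illustration.

```python
import re

# Name fragments that usually mark personal data (assumed heuristic, extend as needed).
PII_HINTS = ("email", "password", "ip_address", "username", "screen_name",
             "phone", "address", "first_name", "last_name")

CREATE_RE = re.compile(
    r"CREATE TABLE\s+`(?P<table>\w+)`\s*\((?P<body>.*?)\)\s*ENGINE", re.S | re.I)
COLUMN_RE = re.compile(r"^\s*`(\w+)`", re.M)  # column lines start with a backtick

# Constructed sample shaped like mysqldump output. exp_example_orders is a
# hypothetical add-on table, not a real Cartthrob or Freeform table name.
SAMPLE_DUMP = """
CREATE TABLE `exp_members` (
  `member_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(75) NOT NULL,
  `email` varchar(254) NOT NULL,
  `password` varchar(128) NOT NULL,
  `ip_address` varchar(45) NOT NULL,
  `last_activity` int(10) NOT NULL,
  PRIMARY KEY (`member_id`)
) ENGINE=InnoDB;
CREATE TABLE `exp_channel_data` (
  `entry_id` int(10) unsigned NOT NULL,
  `field_id_1` text,
  PRIMARY KEY (`entry_id`)
) ENGINE=InnoDB;
CREATE TABLE `exp_example_orders` (
  `order_id` int(10) unsigned NOT NULL,
  `billing_address` varchar(255) NOT NULL,
  `phone` varchar(32) NOT NULL,
  PRIMARY KEY (`order_id`)
) ENGINE=InnoDB;
"""


def inventory_pii(dump_sql):
    """Return {table: [column names that look like personal data]}."""
    found = {}
    for match in CREATE_RE.finditer(dump_sql):
        columns = COLUMN_RE.findall(match.group("body"))
        hits = [c for c in columns if any(h in c.lower() for h in PII_HINTS)]
        if hits:
            found[match.group("table")] = hits
    return found


if __name__ == "__main__":
    for table, cols in inventory_pii(SAMPLE_DUMP).items():
        print(f"{table}: {', '.join(cols)}")
```

Name matching cannot see inside `exp_channel_data`, where custom fields are stored in numbered columns such as `field_id_1`, so a table missing from the result is unknown rather than clean.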
Your EE database during migration with a provider who has no data handling policy.
What Has Gone Wrong in Real Migrations
A contractor turned off the firewall for ten minutes while migrating data to ElasticSearch. This exposed the database to attackers who breached over 5 billion data records.
Keepnet Labs breach, documented by Caylent security research
This was not a website CMS migration. It was a data infrastructure transfer. But the exposure mechanism is identical to what happens in a CMS migration when a contractor works on an unencrypted local machine, stores credentials in email, or uses a shared server without access controls. A ten-minute window of exposure is all it takes. For an ExpressionEngine site with thousands of member records and years of form submissions, ten minutes is enough time for an opportunistic attacker to copy the entire database.
Data is particularly vulnerable during transit and temporary storage phases. Without proper encryption and access controls, you are essentially broadcasting sensitive information. Customer data intercepted during migration, personally identifiable information exposed due to misconfigured permissions. These are not hypothetical scenarios.
Monte Carlo Data, Data Migration Risks, September 2025
For ExpressionEngine specifically, the credential exposure risk is compounded by the architecture. An EE admin login gives access to the backend, all channel entry data, all member accounts, all template code, and all file assets. Database credentials expose the full EE schema including add-on-specific tables that may contain data the site owner does not immediately recognize as sensitive. FTP or SSH credentials expose the entire server environment.
The Freelancer and Cheap Tool Problem
The freelancer who migrated your EE site last week: still has the database export, no obligation to delete it.
ExpressionEngine migrations are genuinely difficult. They require someone who understands EE channel structure, Matrix and Grid field tables, Playa relationship schemas, the member system, and how to map all of this to WordPress. Finding a freelancer who can do the technical work competently is already hard. Finding one who also has a formal data protection process is extremely rare. Here is what you typically do not get.
- No Data Processing Agreement. GDPR Article 28 requires a signed DPA before any third party processes personal data on your behalf. An EE database almost certainly contains personal data from EU residents. A freelancer who has not heard of a DPA cannot be operating within a GDPR-compliant framework.
- No credential security policy. Your EE admin credentials, database password, and FTP/SSH access are typically sent by email, stored in a client folder, and retained indefinitely. No encrypted vault. No deletion timeline. No audit trail.
- No data retention policy. The database export downloaded to run the migration stays on the freelancer’s machine or hosting account after the job. For how long? There is no answer. No secure deletion. No notification to you when it finally disappears.
- No breach notification obligation. If the freelancer’s system is compromised while holding your data, they have no contractual obligation to tell you. Your members’ data could be circulating without your knowledge.
- No professional liability. If the migration corrupts EE data structures, loses Matrix field content, breaks Playa relationships, or triggers a GDPR investigation, a marketplace freelancer has no insurance and no legal exposure. You absorb the cost entirely.
- EE-specific technical failures. Most freelancers who advertise EE migrations underestimate the complexity of Matrix tables, channel relationship structures, and member custom field data. The result is a “completed” migration missing 30% of the structured content with no audit trail to tell you what went wrong.
Why Automated Migration Tools Are Not the Answer
ExpressionEngine has no equivalent of WordPress’s WXR export format. Tools that claim to migrate EE to WordPress typically work by installing a connector on your source EE site and routing content through the tool’s own servers for processing. This creates two problems simultaneously: a security problem (your data passes through infrastructure you have not audited and have no contractual data protection relationship with) and a technical problem (the tool processes basic channel entry data but silently drops Matrix field tables, Playa relationship data, member custom fields, and add-on-specific content that sits outside the standard EE schema).
If your EE site has EU users and you use an automated migration tool without a signed DPA with that provider, you are processing personal data outside a lawful data sharing framework. GDPR fines for unlawful data processing start at 2% of annual global turnover or €10 million, whichever is higher, regardless of whether a data breach occurs.
How gConverter Does It
How gConverter starts every ExpressionEngine migration: legal documentation before any data access.
gConverter is a registered US company with full EU GDPR compliance for all European and international clients. We act as a Data Processor under GDPR Article 4(8) with a documented six-step security process that applies to every migration, including ExpressionEngine.
Step 1: DPA and NDA before credentials
Before you share any access credentials, you receive a Data Processing Agreement for review and signature. For GC-ExtraSecurity clients, a Non-Disclosure Agreement is also executed. No data access is granted until both documents are in place. The DPA defines exactly what we process, the lawful basis, retention limits, and our liability in the event of a breach.
Step 2: Encrypted credential vault
Your EE admin login, database credentials, and FTP/SSH access are transmitted via an encrypted channel, never by email. They are stored immediately in an AES-256 encrypted vault accessible only to the assigned engineer and deleted within 24 hours of job completion with written confirmation.
Step 3: Isolated staging environment
Your database is transferred over TLS 1.3. For GC-ExtraSecurity clients, processing happens on a dedicated Hetzner EU server in Frankfurt, keeping all data inside the EEA. For standard clients, processing is on the assigned engineer’s encrypted machine (Apple FileVault AES-256). Your data is never on shared hosting and never co-located with other clients’ data.
Steps 4 to 6: Logged migration, verified delivery, 30-day deletion
Every database interaction is logged. The migration is completed on staging and presented to you for approval before going live. After launch, credentials are revoked and deleted immediately. All customer data is permanently deleted within 30 days using secure overwrite. Breach notification is issued within 72 hours if required by Article 33.
Read the complete GDPR and Data Protection documentation →
Questions to Ask Any ExpressionEngine Migration Provider
- Will you sign a Data Processing Agreement before accessing any data? No DPA means no GDPR compliance and legal exposure for your organization.
- How do you handle EE-specific data: Matrix tables, Playa relationships, member custom fields? If they cannot answer specifically, they have not done it properly before.
- How are credentials transmitted and stored? Acceptable: encrypted channel and vault. Not acceptable: email, Slack, or any plain-text method.
- Where is my data processed and stored during migration? Specific server location, encryption method, and single-engineer access requirement.
- When and how is my data deleted after completion? Timeline and deletion method (secure overwrite, not trash).
- Do you carry professional liability insurance? Without it, there is no financial recourse if the migration causes data loss or a security incident.
- What is your breach notification procedure? A provider without a documented breach response has no obligation to tell you if your data is compromised.
The Technical Side Matters Too
Security is the non-negotiable baseline. But a migration that is secure but technically incomplete is still a failed migration. A complete EE to WordPress migration covers all channel entries by type, Matrix and Grid field data mapped to ACF Pro Repeater fields, Playa and Relationship field connections preserved as ACF Relationship fields, member accounts with role mapping, Freeform submission data archived in WordPress, SEO meta data from NSM Better Meta or native EE fields transferred to Yoast SEO, 301 redirects for every changed URL, navigation menus rebuilt from Structure or EE’s native menu module, and a custom WordPress theme that matches the original EE template output exactly.
For the complete picture of why organizations are moving off ExpressionEngine and what the migration process covers technically: Why Website Owners Are Switching From ExpressionEngine to WordPress →
To discuss your specific site: ExpressionEngine to WordPress migration at gConverter →
What Our Clients Say
Went FAR above and beyond to help us work through this project. We are thrilled with the final result and they were professional, great to work with, and responsive every step of the way. Would highly recommend.
Anna P., Wilmington NC – Customer Lobby, January 2026
Extremely professional and efficient, we had very good contact, the work was done in due time.
Timoti F., Berlin DC – Customer Lobby, February 2024
The outcome when data security and technical quality are both done right: a verified handover you can trust.
The Bottom Line
An ExpressionEngine database is not just content. It is the accumulated personal data of everyone who ever registered on your site, submitted a form, or made a purchase. Migrating that data requires the same governance, documentation, and accountability as any other personal data processing activity under GDPR. Most freelancers and tools do not meet that standard.
gConverter is US-registered and EU GDPR-compliant, with signed legal agreements before access, AES-256 encryption at rest, TLS 1.3 in transit, EU server options, and 30-day data deletion. Before the job starts, you have a signed DPA. While it runs, your data is encrypted, isolated, and logged. When it ends, your data and credentials are gone from our systems.